[WIP] - [NA-000] - tfsec fixes and ignores (#171)

* first log policy using arn instead of being too open. Also ignoring rule for wildcard users in aws-auth operator * log policy for sqs * Put log policy demands a wildcard in the end, also enabling key rotation for even stack key * block public acls and policies from config bucket * Ignoring bucket rules * Enable versionning for advertisement bucket * ads bucket ignore logging * Excluding image immutability * IMDS v2 mandatory. Only authenticated requests within ec2 to metadata APIs * Enable property mandatory + tflint * metadata http_endpoint disabled * Can't ssh with metadata token disabled * terraform fmt e terraform-docs all things * Remove wrongly created doc
elastic-ipfs · Sep 7, 2022 · 6e570aa · 6e570aa
1 parent 9f70505
commit 6e570aa
Show file tree

Hide file tree

Showing 32 changed files with 248 additions and 86 deletions.
diff --git a/terraspace/app/modules/eks-auth-sync/awsauth.tf b/terraspace/app/modules/eks-auth-sync/awsauth.tf
@@ -1,3 +1,5 @@
+#Auth Sync operator needs to be able to read tags from all users.
+#tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_policy" "eks_auth_sync_policy" {
   name        = var.eks_auth_sync_policy_name
   description = "Policy that enables reading of user/role tags"

diff --git a/terraspace/app/modules/lambda-from-sns/log.tf b/terraspace/app/modules/lambda-from-sns/log.tf
@@ -18,7 +18,7 @@ resource "aws_iam_policy" "lambda_logging" {
         "logs:CreateLogStream",
         "logs:PutLogEvents"
       ],
-      "Resource": "arn:aws:logs:*:*:*",
+      "Resource": "${aws_cloudwatch_log_group.lambda_function_log_group.arn}:*",
       "Effect": "Allow"
     }
   ]

diff --git a/terraspace/app/modules/lambda-from-sqs/log.tf b/terraspace/app/modules/lambda-from-sqs/log.tf
@@ -18,7 +18,7 @@ resource "aws_iam_policy" "lambda_logging" {
         "logs:CreateLogStream",
         "logs:PutLogEvents"
       ],
-      "Resource": "arn:aws:logs:*:*:*",
+      "Resource": "${aws_cloudwatch_log_group.log_group.arn}:*",
       "Effect": "Allow"
     }
   ]

diff --git a/terraspace/app/stacks/bucket-mirror/main.tf b/terraspace/app/stacks/bucket-mirror/main.tf
@@ -71,4 +71,9 @@ resource "aws_instance" "bucket_mirror_runner" {
   volume_tags = {
     Name = "bucket-mirror"
   }
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
 }
diff --git a/terraspace/app/stacks/bucket-mirror/variables.tf b/terraspace/app/stacks/bucket-mirror/variables.tf
@@ -40,7 +40,7 @@ variable "s3_prefix" {
 }
 
 variable "s3_suffix" {
-  type = string
+  type        = string
   description = "Only read objects with this suffix"
 }
 

diff --git a/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md b/terraspace/app/stacks/bucket-to-indexer-lambda/bucket-to-indexer-lambda.md
@@ -30,6 +30,7 @@ Version:
 The following resources are used by this module:
 
 - [aws_ecr_repository.ecr_repo_bucket_to_indexer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) (resource)
+- [terraform_remote_state.event](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) (data source)
 - [terraform_remote_state.indexing](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) (data source)
 
 ## Required Inputs
@@ -42,6 +43,12 @@ Description: Name for ECR repo. We use this repo to store bucket-to-indexer lamb
 
 Type: `string`
 
+### <a name="input_event_stack_region"></a> [event\_stack\_region](#input\_event\_stack\_region)
+
+Description: Region which output event components are deployed to
+
+Type: `string`
+
 ### <a name="input_indexing_stack_region"></a> [indexing\_stack\_region](#input\_indexing\_stack\_region)
 
 Description: Region which indexer is deployed to

diff --git a/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf b/terraspace/app/stacks/bucket-to-indexer-lambda/variables.tf
@@ -1,5 +1,5 @@
 variable "sns_topic" {
-  type = string
+  type        = string
   description = "Name of SNS topic which lambda should subscribe to"
 }
 

diff --git a/terraspace/app/stacks/dns-certificate/dns-certificate.md b/terraspace/app/stacks/dns-certificate/dns-certificate.md
@@ -0,0 +1,77 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (>= 1.0.0)
+
+- <a name="requirement_aws"></a> [aws](#requirement\_aws) (~> 3.38)
+
+- <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) (~> 3.0)
+
+- <a name="requirement_http"></a> [http](#requirement\_http) (~> 3.0)
+
+- <a name="requirement_tls"></a> [tls](#requirement\_tls) (4.0.1)
+
+## Providers
+
+The following providers are used by this module:
+
+- <a name="provider_aws"></a> [aws](#provider\_aws) (~> 3.38)
+
+- <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) (~> 3.0)
+
+- <a name="provider_http"></a> [http](#provider\_http) (~> 3.0)
+
+- <a name="provider_tls"></a> [tls](#provider\_tls) (4.0.1)
+
+## Modules
+
+No modules.
+
+## Resources
+
+The following resources are used by this module:
+
+- [aws_acm_certificate.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) (resource)
+- [cloudflare_origin_ca_certificate.cert](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/origin_ca_certificate) (resource)
+- [tls_cert_request.cert_request](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/cert_request) (resource)
+- [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/private_key) (resource)
+- [http_http.cloudflare_certificate_chain](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) (data source)
+
+## Required Inputs
+
+The following input variables are required:
+
+### <a name="input_bitswap_peer_record_name"></a> [bitswap\_peer\_record\_name](#input\_bitswap\_peer\_record\_name)
+
+Description: Bitswap Peer record name
+
+Type: `string`
+
+### <a name="input_cf_domain_name"></a> [cf\_domain\_name](#input\_cf\_domain\_name)
+
+Description: DNS Zone name
+
+Type: `string`
+
+## Optional Inputs
+
+No optional inputs.
+
+## Outputs
+
+The following outputs are exported:
+
+### <a name="output_aws_certificate_arn"></a> [aws\_certificate\_arn](#output\_aws\_certificate\_arn)
+
+Description: ACM Certificate
+
+### <a name="output_bitswap_peer_record_name"></a> [bitswap\_peer\_record\_name](#output\_bitswap\_peer\_record\_name)
+
+Description: Bitswap Peer record name
+
+### <a name="output_cf_domain_name"></a> [cf\_domain\_name](#output\_cf\_domain\_name)
+
+Description: DNS Zone name
+<!-- END_TF_DOCS -->
diff --git a/terraspace/app/stacks/dns-certificate/outputs.tf b/terraspace/app/stacks/dns-certificate/outputs.tf
@@ -1,15 +1,15 @@
 output "bitswap_peer_record_name" {
-  value = var.bitswap_peer_record_name
+  value       = var.bitswap_peer_record_name
   description = "Bitswap Peer record name"
 }
 
 output "cf_domain_name" {
-  value = var.cf_domain_name
+  value       = var.cf_domain_name
   description = "DNS Zone name"
 }
 
 output "aws_certificate_arn" {
-  value = aws_acm_certificate.cert.arn
-  sensitive = true
+  value       = aws_acm_certificate.cert.arn
+  sensitive   = true
   description = "ACM Certificate"
-} 
+}
diff --git a/terraspace/app/stacks/dns-certificate/providers.tf b/terraspace/app/stacks/dns-certificate/providers.tf
@@ -1,2 +1,2 @@
 provider "tls" {}
-provider cloudflare {}
+provider "cloudflare" {}
diff --git a/terraspace/app/stacks/dns-certificate/variables.tf b/terraspace/app/stacks/dns-certificate/variables.tf
@@ -1,9 +1,9 @@
 variable "cf_domain_name" {
-  type = string
+  type        = string
   description = "DNS Zone name"
 }
 
 variable "bitswap_peer_record_name" {
-  type = string
+  type        = string
   description = "Bitswap Peer record name"
 }
diff --git a/terraspace/app/stacks/dns/dns.md b/terraspace/app/stacks/dns/dns.md
@@ -9,8 +9,6 @@ The following requirements are needed by this module:
 
 - <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) (~> 3.0)
 
-- <a name="requirement_tls"></a> [tls](#requirement\_tls) (4.0.1)
-
 ## Providers
 
 The following providers are used by this module:
@@ -19,10 +17,6 @@ The following providers are used by this module:
 
 - <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) (~> 3.0)
 
-- <a name="provider_http"></a> [http](#provider\_http)
-
-- <a name="provider_tls"></a> [tls](#provider\_tls) (4.0.1)
-
 ## Modules
 
 No modules.
@@ -31,17 +25,12 @@ No modules.
 
 The following resources are used by this module:
 
-- [aws_acm_certificate.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) (resource)
 - [aws_route53_record.peer_bitswap_load_balancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) (resource)
 - [aws_route53_record.peer_bitswap_load_balancer_ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) (resource)
 - [aws_route53_zone.hosted_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) (resource)
-- [cloudflare_origin_ca_certificate.cert](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/origin_ca_certificate) (resource)
 - [cloudflare_record.bitswap_peer](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/record) (resource)
-- [tls_cert_request.cert_request](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/cert_request) (resource)
-- [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/4.0.1/docs/resources/private_key) (resource)
 - [aws_route53_zone.hosted_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) (data source)
 - [cloudflare_zone.dns](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/data-sources/zone) (data source)
-- [http_http.cloudflare_certificate_chain](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) (data source)
 
 ## Required Inputs
 
@@ -53,30 +42,23 @@ Description: The name of the hosted zone to either create or lookup
 
 Type: `string`
 
-### <a name="input_bitswap_load_balancer_dns"></a> [bitswap\_load\_balancer\_dns](#input\_bitswap\_load\_balancer\_dns)
+### <a name="input_bitswap_load_balancer_hosted_zone"></a> [bitswap\_load\_balancer\_hosted\_zone](#input\_bitswap\_load\_balancer\_hosted\_zone)
 
-Description: Bitswap LoadBalancer DNS. This load balancer is created and managed by Kubernetes
+Description: Bitswap LoadBalancer Hosted Zone. This load balancer is created and managed by Kubernetes
 
 Type: `string`
 
-### <a name="input_bitswap_load_balancer_hosted_zone"></a> [bitswap\_load\_balancer\_hosted\_zone](#input\_bitswap\_load\_balancer\_hosted\_zone)
+### <a name="input_bitswap_peer_record_name"></a> [bitswap\_peer\_record\_name](#input\_bitswap\_peer\_record\_name)
 
-Description: Bitswap LoadBalancer Hosted Zone. This load balancer is created and managed by Kubernetes
+Description: Bitswap Peer record name
 
 Type: `string`
 
-### <a name="input_bitswap_peer_record"></a> [bitswap\_peer\_record](#input\_bitswap\_peer\_record)
+### <a name="input_bitswap_peer_record_value"></a> [bitswap\_peer\_record\_value](#input\_bitswap\_peer\_record\_value)
 
-Description: Bitswap Peer record information
+Description: Bitswap Peer record value. This load balancer is created and managed by Kubernetes
 
-Type:
-
-```hcl
-object({
-    name    = string
-    value   = string
-  })
-```
+Type: `string`
 
 ### <a name="input_cf_domain_name"></a> [cf\_domain\_name](#input\_cf\_domain\_name)
 

diff --git a/terraspace/app/stacks/dns/main.tf b/terraspace/app/stacks/dns/main.tf
@@ -23,6 +23,6 @@ resource "cloudflare_record" "bitswap_peer" {
   name    = var.bitswap_peer_record_name
   value   = var.bitswap_peer_record_value
   type    = "CNAME"
-  proxied = true 
+  proxied = true
   ttl     = 1
 }
diff --git a/terraspace/app/stacks/dns/outputs.tf b/terraspace/app/stacks/dns/outputs.tf
@@ -1,4 +1,4 @@
 output "bitswap_loadbalancer_domain" {
-  value       = "${cloudflare_record.bitswap_peer.hostname}"
+  value       = cloudflare_record.bitswap_peer.hostname
   description = "Domain name for bitswap peer"
 }
diff --git a/terraspace/app/stacks/dns/providers.tf b/terraspace/app/stacks/dns/providers.tf
@@ -1 +1 @@
-provider cloudflare {}
+provider "cloudflare" {}
diff --git a/terraspace/app/stacks/dns/variables.tf b/terraspace/app/stacks/dns/variables.tf
@@ -21,16 +21,16 @@ variable "bitswap_load_balancer_hosted_zone" {
 }
 
 variable "cf_domain_name" {
-  type = string
+  type        = string
   description = "DNS Zone name"
 }
 
 variable "bitswap_peer_record_name" {
-  type = string
+  type        = string
   description = "Bitswap Peer record name"
 }
 
 variable "bitswap_peer_record_value" {
-  type = string
+  type        = string
   description = "Bitswap Peer record value. This load balancer is created and managed by Kubernetes"
 }
diff --git a/terraspace/app/stacks/event/auth.tf b/terraspace/app/stacks/event/auth.tf
@@ -44,7 +44,7 @@ EOF
 
 resource "aws_sqs_queue_policy" "event_delivery_queue_policy" {
   queue_url = aws_sqs_queue.event_delivery_queue.id
-  policy = <<EOF
+  policy    = <<EOF
 {
   "Version": "2012-10-17",
   "Statement": [